Overview

overview

10

Static

static

3

154da8be0f...18.dll

windows7-x64

10

154da8be0f...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    90s
  • max time network
    85s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-06-2024 08:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    154da8be0f63b46282c11abb354d7143_JaffaCakes118.dll

  • Size

    340KB

  • MD5

    154da8be0f63b46282c11abb354d7143

  • SHA1

    327ac2d0271fb927299a75c4afe60ff1509d1df4

  • SHA256

    b811cf493d1b572ccffeaa8df73e2a71e5cb14a273f2fe4e166ff0e4c0044558

  • SHA512

    7bdc83d02bbb69e95397ab57022bdc422aca077ab63d674d54d8127e7930d09d9a243db59330d731448838bee55b784a72b4970f2ff244ad140f7a3f9eb86bfd

  • SSDEEP

    3072:eaMzcgvVx/hTODMjZXTXU1p5o9qlnqYnzfIBdzfVKZqzsoq8na1zFzuJz93llvvK:mcgD/xGMFXTXIrfgdTVPsDUJdzu0

Score
10/10
ramnitbankerspywarestealertrojanworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 18 IoCs
    adwarespyware
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\154da8be0f63b46282c11abb354d7143_JaffaCakes118.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2188
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\154da8be0f63b46282c11abb354d7143_JaffaCakes118.dll
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4884
      • C:\Users\Admin\AppData\Local\Temp\889vwL3
        "889vwL3"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2256
        • C:\Windows\SysWOW64\svchost.exe
          C:\Windows\system32\svchost.exe
          4⤵
            PID:4288
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4288 -s 208
              5⤵
              • Program crash
              PID:4088
          • C:\Program Files (x86)\Internet Explorer\iexplore.exe
            "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2576
            • C:\Program Files\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:2484
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2484 CREDAT:17410 /prefetch:2
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:4756
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2484 CREDAT:17416 /prefetch:2
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:4932
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\system32\svchost.exe
            4⤵
              PID:2604
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 216
                5⤵
                • Program crash
                PID:872
            • C:\Program Files (x86)\Internet Explorer\iexplore.exe
              "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:4064
              • C:\Program Files\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
                5⤵
                • Modifies Internet Explorer settings
                PID:5068
            • C:\Users\Admin\AppData\Local\Temp\xoiblvpwyxiakfjt.exe
              "C:\Users\Admin\AppData\Local\Temp\xoiblvpwyxiakfjt.exe"
              4⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:1528
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 660
            3⤵
            • Program crash
            PID:4496
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4884 -ip 4884
        1⤵
          PID:2328
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4288 -ip 4288
          1⤵
            PID:1692
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2604 -ip 2604
            1⤵
              PID:4136

            Network

            MITRE ATT&CK Matrix ATT&CK v13

            Initial Access

            Execution

            Persistence

            Privilege Escalation

            Defense Evasion

            Modify Registry

            1
            T1112

            Credential Access

            Discovery

            Query Registry

            1
            T1012

            System Information Discovery

            2
            T1082

            Lateral Movement

            Collection

            Exfiltration

            Command and Control

            Impact

            Resource Development

            Reconnaissance

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\889vwL3
              Filesize

              95KB

              MD5

              4e05a5ca4bac745470e7b44d61588ea6

              SHA1

              4ab1df32c49f3d01f76499a6d23b97ac7be9a76f

              SHA256

              061d78173b58243979f0ac85b323efeeaf781d2c7a6addca8668d116a11a4abe

              SHA512

              0d10ab9e4de262bc89730ff6ae57a7dd89cc1b9cbe02641c4dc089262eb7db8a88dec6a078eff3b2728c4397c88fb1beadab7a8aa076b1ea3b6db1b9aeb98a8b

              Download Submit
            • memory/1528-33-0x0000000000400000-0x000000000043A028-memory.dmp
              Filesize

              232KB

              Download
            • memory/1528-39-0x0000000000400000-0x000000000043B000-memory.dmp
              Filesize

              236KB

              Download
            • memory/1528-38-0x0000000000400000-0x000000000043A028-memory.dmp
              Filesize

              232KB

              Download
            • memory/1528-35-0x0000000000400000-0x000000000043B000-memory.dmp
              Filesize

              236KB

              Download
            • memory/2256-16-0x0000000000400000-0x000000000043B000-memory.dmp
              Filesize

              236KB

              Download
            • memory/2256-32-0x0000000000400000-0x000000000043B000-memory.dmp
              Filesize

              236KB

              Download
            • memory/2256-9-0x00000000004A0000-0x00000000004A1000-memory.dmp
              Filesize

              4KB

              Download
            • memory/2256-5-0x0000000000400000-0x000000000043A028-memory.dmp
              Filesize

              232KB

              Download
            • memory/2256-6-0x0000000000400000-0x000000000043B000-memory.dmp
              Filesize

              236KB

              Download
            • memory/2256-10-0x0000000000950000-0x0000000000951000-memory.dmp
              Filesize

              4KB

              Download
            • memory/2256-21-0x0000000077952000-0x0000000077953000-memory.dmp
              Filesize

              4KB

              Download
            • memory/2256-20-0x0000000000400000-0x000000000043A028-memory.dmp
              Filesize

              232KB

              Download
            • memory/2256-23-0x0000000000400000-0x000000000043A028-memory.dmp
              Filesize

              232KB

              Download
            • memory/2256-24-0x0000000077952000-0x0000000077953000-memory.dmp
              Filesize

              4KB

              Download
            • memory/2256-12-0x0000000000400000-0x000000000043A028-memory.dmp
              Filesize

              232KB

              Download
            • memory/4288-14-0x00000000007D0000-0x00000000007D1000-memory.dmp
              Filesize

              4KB

              Download
            • memory/4288-13-0x00000000007F0000-0x00000000007F1000-memory.dmp
              Filesize

              4KB

              Download
            • memory/4884-0-0x00000000011D0000-0x00000000011D1000-memory.dmp
              Filesize

              4KB

              Download
            • memory/4884-4-0x000000001000B000-0x000000001000C000-memory.dmp
              Filesize

              4KB

              Download